AES (Advanced Encryption Standard)


AES is a modern symmetric block cipher, one of the most popular ciphers in the world. It was developed in 1997 by Vincent Rijmen and Joan Daemen, and later approved as a federal encryption standard in the United States in 2002.

Block cipher with symmetric secret key

Block length = 128 bits

Key length = 128 or 192 or 256 bits

AES is considered a strong and secure cipher. Over the last few years (mostly 2005-2010) several attacks against different AES implementations have been described, but generally speaking they concern only special cases and are not considered a threat to the AES algorithm itself.

A secret key in AES, for both data encryption and decryption, may contain 128 or 192 or 256 bits. Based on the length of the key, a different number of encrypting cycles is performed.

AES Encryption

During encryption, the input data (plaintext) is divided into 128-bit blocks. The blocks of data are presented as column-major matrices of size 4 bytes × 4 bytes, called states. The following operations are performed for all blocks:

AES Key Expansion

AES uses a secret symmetric key, which contains 128, 192, or 256 bits (that is 16, 24, or 32 bytes respectively). In order to encrypt all data blocks, the key must be expanded. The new bytes are appended to the original bytes of the key:

The first bytes of the expanded key are all the bytes of the original secret key. To create the succeeding bytes of the expanded key, the following steps must be performed, with iterations numbered from 1. The steps below are repeated until the required number of bytes has been produced. To simplify the notation, the length (in bytes) of the original secret key (before expansion) is denoted as n.

In all AES operations presented below, the bytes are written in a hexadecimal notation. Each character represents four bits.

Substitution in Rijndael S-Box


In Rijndael S-Boxes every input byte is replaced by another byte. The values in the S-Boxes were chosen to provide maximum non-linearity of this transformation. Thanks to that, the whole AES encryption is non-linear.

The byte substitutions are presented in the table below. The rows are indexed by the more significant half of the input byte and the columns by the less significant half. The output byte is found inside the table, at the intersection of the selected row and column.

Rijndael S-Box

     x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 xA xB xC xD xE xF
0x   63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
1x   ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
2x   b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
3x   04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
4x   09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
5x   53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
6x   d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
7x   51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
8x   cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
9x   60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
Ax   e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
Bx   e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
Cx   ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
Dx   70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
Ex   e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
Fx   8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

For example, for an input byte 3F, the new output byte is 75.

For decryption, the Inverse Rijndael S-Boxes are used. They can be obtained from the original Rijndael S-Boxes.

Inverse Rijndael S-Box

     x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 xA xB xC xD xE xF
0x   52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb
1x   7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb
2x   54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e
3x   08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25
4x   72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92
5x   6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84
6x   90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06
7x   d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b
8x   3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73
9x   96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e
Ax   47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b
Bx   fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4
Cx   1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f
Dx   60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef
Ex   a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61
Fx   17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d
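The Python code below is an added example, not code from the original page. It goes beyond the printed tables by rebuilding the S-Box from its standard definition (multiplicative inverse in Rijndael's finite field followed by an affine transformation), derives the inverse table from it, and reads both tables by row and column as described above; all function names are chosen here for illustration.

```python
def rotl8(x, s):
    """Rotate an 8-bit value left by s bits."""
    return ((x << s) | (x >> (8 - s))) & 0xFF


def build_sbox():
    """Build the S-Box: field inverse in GF(2^8), then an affine transform."""
    sbox = [0] * 256
    p = q = 1  # invariant: p * q == 1 in the field (modulus 0x11B)
    while True:
        # p <- p * 3; 3 generates every non-zero element of the field
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)
        # q <- q / 3, which equals q * 0xF6
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        # affine transform of the inverse q, plus the constant 0x63
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # 0 has no inverse, so it maps to the constant alone
    return sbox


def invert_sbox(sbox):
    """Derive the inverse table: if S[x] == y then InvS[y] == x."""
    inv = [0] * 256
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


def table_lookup(table, byte):
    """Read a table the way the page does: row = high half, column = low half."""
    row, col = byte >> 4, byte & 0x0F
    return table[16 * row + col]


SBOX = build_sbox()
INV_SBOX = invert_sbox(SBOX)

if __name__ == "__main__":
    print(f"S-Box[3F]         = {table_lookup(SBOX, 0x3F):02x}")
    print(f"Inverse S-Box[75] = {table_lookup(INV_SBOX, 0x75):02x}")
    print("bijective:", sorted(SBOX) == list(range(256)))
```
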


Multiplication of columns


Each column of a state matrix is multiplied by a predefined matrix of size 4 bytes × 4 bytes. The result of each multiplication is a new column that contains four different bytes.

Multiplying the square matrix by the column c creates a new column r, with new values.

Multiplication of columns

2 3 1 1     c0     r0
1 2 3 1  x  c1  =  r1
1 1 2 3     c2     r2
3 1 1 2     c3     r3

During decryption, an inverted matrix is used in this step:

Inverted matrix

e b d 9
9 e b d
d 9 e b
b d 9 e


Rcon Operation


In each iteration of the key generation process, the first byte of the current 4-byte temporary vector is XORed with 2 raised to the power of one less than the current iteration number. The Rcon operation is performed in Rijndael's finite field.

These values can be calculated at runtime or stored in a table in the application memory.

Powers of x = 0x02

i     0  1  2  3  4  5  6  7  8  9  10 11 12 13 14
x^i   01 02 04 08 10 20 40 80 1b 36 6c d8 ab 4d 9a
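The Python code below is an added example, not code from the original page, covering both the multiplication of columns and the Rcon operation, since each relies on multiplication in Rijndael's finite field. It multiplies a column by the matrix and by the inverted matrix shown above and recomputes the powers of 0x02; the function names and the sample column are constructed for illustration.

```python
def gf_mul(a, b):
    """Multiply two bytes in Rijndael's finite field (modulus 0x11B)."""
    result = 0
    for _ in range(8):
        if b & 1:
            result ^= a          # addition in the field is XOR
        carry = a & 0x80
        a = (a << 1) & 0xFF      # multiply a by x (0x02)
        if carry:
            a ^= 0x1B            # reduce when the product overflows 8 bits
        b >>= 1
    return result


# Matrices exactly as printed on the page
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[0xE, 0xB, 0xD, 0x9], [0x9, 0xE, 0xB, 0xD],
           [0xD, 0x9, 0xE, 0xB], [0xB, 0xD, 0x9, 0xE]]


def mul_column(matrix, column):
    """Return r = matrix x c, using field multiplication and XOR as the sum."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, column):
            acc ^= gf_mul(coeff, byte)
        out.append(acc)
    return out


def rcon(iteration):
    """Constant for key-expansion iteration i (numbered from 1): 0x02^(i-1)."""
    value = 1
    for _ in range(iteration - 1):
        value = gf_mul(value, 2)
    return value


if __name__ == "__main__":
    column = [0xDB, 0x13, 0x53, 0x45]   # constructed sample column
    mixed = mul_column(MIX, column)
    print("mixed:   ", " ".join(f"{b:02x}" for b in mixed))
    print("restored:", " ".join(f"{b:02x}" for b in mul_column(INV_MIX, mixed)))
    print("rcon:    ", " ".join(f"{rcon(i):02x}" for i in range(1, 16)))
```
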


A column-major matrix is a matrix in which columns are numbered by the first index of a two-dimensional array and rows by the second index. This affects how the matrix is stored in memory.

For example, a column-major matrix:

1 2 3
4 5 6

is stored contiguously in memory:

1 4 2 5 3 6

Both column-major and row-major arrays are used in different environments. For example, matrices are column-major in Matlab and Fortran, and row-major in the programming languages C and Python.